Blog

Daily Blog #183: Sunday Funday 12/22/13 Winner!

Hello Reader, this week an anonymous submitter has won the day, and a 4TB External Hard Drive. It's important to keep track of what changes, especially when it comes to OSes that we may not be dealing with daily yet. This week's answer does a good job of showing some of what's changed, but there is more that you should be aware of. Your greatest challenge in dealing with Windows 8 is just getting all your regular tools to run! With all this said, here is this week's winning answer!

The Challenge:
1. Explain the artifacts for execution you can find on Windows XP and Windows 8
2. For those artifacts that are in the same location for both, explain what differences exist

The Winning Answer:

Program Execution: following are some of the well-known artifacts one may find on Windows XP/7/8 systems along with relevant distinctions across the Windows versions:

Application Compatibility Cache: used to determine issues relating to application compatibility with executables; can be used to track executables by file name, size, last modified time and last update time (only in WinXP)
WinXP –> SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
Win7/8 –> SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

Jump Lists: unique to versions of Windows 7 and greater, allows users to quickly access frequent/recent selections; can determine first/last time of execution of an application
Win7/8 –> C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Prefetch: used by Microsoft Windows for preloading code pages of often-used applications; can be used to tell if an application has been executed on a system (uses a calculated hash of the directory from which the application was run); may not necessarily be enabled on all systems as there are discrepancies across Windows versions.
WinXP/Vista/7/8 –> C:\Windows\Prefetch

Last Visited MRU: logs the specific executable called by an application for opening files documented in the OpenSaveMRU key; also tracks the directory location for the last file accessed by an application.
WinXP –> NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Win7/8 –> NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidMRU

RunMRU Start (Run): logs usage of the Start -> Run sequence for loading executables
WinXP/7/8 –> NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

UserAssist: tracks GUI-based applications that are launched from the user's desktop in the launcher on Windows systems
WinXP/7/8 –> NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
Where GUID can be one of the following:
XP –> 75048700 (Active Desktop)
Win7/8 –> CEBFF5CD (.EXE file execution)
–> F4E57C4B (Shortcut file execution)
–> 6D809377 (ProgramFilesX64)
–> 7C5A40EF (ProgramFilesX86)
–> 1AC14E77 (System)
–> D65231B0 (SystemX86)
–> B4BFCC3A (Desktop)
–> FDD39AD0 (Documents)
–> 374DE290 (Downloads)
–> 0762D272 (User Profiles)

In addition, one can review Windows Event logs for service related information.

Services Events: log of services that were started/stopped; can also identify services that start on boot (ultimately determine the file/executable associated with a service); requires reviewing event logs; following are the relevant event IDs:
7034 –> Service crashed unexpectedly
7035 –> Service sent a Start/Stop command
7036 –> Service started/stopped
7040 –> Start type changed
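The UserAssist entries above are the artifact where the XP vs. Win7/8 difference bites hardest in practice: the value names are ROT13-encoded on every version, but the binary Count blob changed from a 16-byte record on XP (session, run count starting at 5, FILETIME) to a 72-byte record on Win7/8 (run count, focus count, focus time, and the last-run FILETIME at offset 60), and the Win7/8 names carry a known-folder GUID prefix in place of a literal path. The parser below is an added example written for this post, not the submitter's or any tool's code; the two registry entries it parses are constructed sample data, and the KNOWNFOLDERID table only covers the GUID prefixes listed in the answer.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Full Windows KNOWNFOLDERID values behind the 8-digit GUID prefixes in the
# answer above; Win7/8 UserAssist value names start with one of these (ROT13'd).
KNOWN_FOLDERS = {
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "ProgramFilesX64",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "ProgramFilesX86",
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "System",
    "{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}": "SystemX86",
    "{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}": "Desktop",
    "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}": "Documents",
    "{374DE290-123F-4565-9164-39C4925E467B}": "Downloads",
    "{0762D272-C50A-4BB0-A382-697DCD729B80}": "UserProfiles",
}


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; a zero value means 'never'."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_name(value_name):
    """Value names are ROT13 on every version; on Win7/8 the leading GUID is a known folder."""
    plain = codecs.decode(value_name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        if plain.upper().startswith(guid):
            return f"<{folder}>" + plain[len(guid):]
    return plain


def parse_count(blob):
    """Parse the binary Count value; the record length tells the layout apart."""
    if len(blob) == 16:  # Windows XP layout
        session, count, ft = struct.unpack("<IIQ", blob)
        return {
            "layout": "xp",
            "session": session,
            "run_count": max(count - 5, 0),  # XP starts counting at 5
            "focus_count": None,
            "focus_time_ms": None,
            "last_run": filetime_to_datetime(ft).isoformat() if ft else None,
        }
    if len(blob) == 72:  # Windows 7/8 layout
        session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", blob, 0)
        ft = struct.unpack_from("<Q", blob, 60)[0]
        return {
            "layout": "win7_8",
            "session": session,
            "run_count": run_count,
            "focus_count": focus_count,
            "focus_time_ms": focus_ms,
            "last_run": filetime_to_datetime(ft).isoformat() if ft else None,
        }
    raise ValueError(f"unexpected UserAssist Count length: {len(blob)}")


def parse_userassist(entries):
    """entries: iterable of (raw value name, raw Count bytes) as read from NTUSER.DAT."""
    records = []
    for name, blob in entries:
        rec = parse_count(blob)
        rec["program"] = decode_name(name)
        records.append(rec)
    return records


# --- constructed sample entries (not captured from a real hive) ---
def build_xp_blob(session, stored_count, last_run):
    return struct.pack("<IIQ", session, stored_count, datetime_to_filetime(last_run))


def build_win7_blob(session, run_count, focus_count, focus_ms, last_run):
    blob = bytearray(72)
    struct.pack_into("<IIII", blob, 0, session, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", blob, 60, datetime_to_filetime(last_run))
    return bytes(blob)


SAMPLE_ENTRIES = [
    # XP: ROT13 of "UEME_RUNPATH:C:\Windows\notepad.exe", stored count 12 => 7 real runs
    (r"HRZR_EHACNGU:P:\Jvaqbjf\abgrcnq.rkr",
     build_xp_blob(3, 12, datetime(2013, 12, 22, 10, 30, tzinfo=timezone.utc))),
    # Win7/8: ROT13 of "{1AC14E77-...}\notepad.exe" (FOLDERID_System prefix)
    (r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr",
     build_win7_blob(2, 4, 1, 15000, datetime(2013, 12, 22, 11, 0, tzinfo=timezone.utc))),
]

if __name__ == "__main__":
    for rec in parse_userassist(SAMPLE_ENTRIES):
        print(rec)
```

The point to take away is the length check in parse_count: an XP-era script that unpacks 16 bytes will silently misread a Win7/8 record, and a Win7/8 script will reject every XP entry, so dispatch on the record size rather than on the OS you think you are looking at.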